Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe

Overview

General Information

Sample name:SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Analysis ID:1541680
MD5:7b5ead3041ec05071ee6b28913d72547
SHA1:8af0a3f29aff1d0fd9ab792539ff1a1fe7a32ad2
SHA256:e999cb5dcdea4d51a6178dfda3248fdf812d90841545a5ff4bbfaeac95e31c11
Tags:exe

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Contains capabilities to detect virtual machines
Entry point lies outside standard sections
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeAvira: detected
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeReversingLabs: Detection: 18%
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 96.4% probability
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeJoe Sandbox ML: detected
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

System Summary

barindex
PE file contains section with special chars
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: section name: .LW:
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: section name: .3*9
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000000.2074287155.00007FF6843BF000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameRuntimeBroker.exe` vs SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000003.2093691744.00000228D30CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameD3D10Warp.dllj% vs SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000003.2093747211.00000228D30D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameD3D10Warp.dllj% vs SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeBinary or memory string: OriginalFilenameRuntimeBroker.exe` vs SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Source: classification engineClassification label: mal76.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: d3d9.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeSection loaded: d3d10warp.dllJump to behavior
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic file information: File size 14430720 > 1048576
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: Raw size of .3*9 is bigger than: 0x100000 < 0xdc1800
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: initial sampleStatic PE information: section where entry point is pointing to: .3*9
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: section name: .LW:
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: section name: .UKD
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeStatic PE information: section name: .3*9

Hooking and other Techniques for Hiding and Protection

barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeMemory written: PID: 3180 base: 7FF8C8A50008 value: E9 EB D9 E9 FF Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeMemory written: PID: 3180 base: 7FF8C88ED9F0 value: E9 20 26 16 00 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeFile opened / queried: HGFSJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeFile opened / queried: VBoxMiniRdrDNJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000002.2093934740.00000228D30A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\.\VBoxMiniRdrDN
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000002.2093934740.00000228D30A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemupcivideo.sys
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000002.2093934740.00000228D3090000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \.\HGFS
Source: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe, 00000000.00000002.2093934740.00000228D30A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemupci.sys
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeProcess information queried: ProcessInformationJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtProtectVirtualMemory: Direct from: 0x7FF683E4F7EEJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtProtectVirtualMemory: Direct from: 0x7FF683F2EA22Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtProtectVirtualMemory: Direct from: 0x7FF683F0CD52Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtProtectVirtualMemory: Direct from: 0x7FF683E9FCFDJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtProtectVirtualMemory: Indirect: 0x7FF6835EDEA6Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtProtectVirtualMemory: Direct from: 0x7FF683E65903Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtProtectVirtualMemory: Direct from: 0x7FF683E4854BJump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtProtectVirtualMemory: Direct from: 0x7FF683DBE7D5Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtMapViewOfSection: Direct from: 0x7FF683E09A76Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtClose: Direct from: 0x7FF683E9170F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exeNtUnmapViewOfSection: Direct from: 0x7FF683F16848Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Abuse Elevation Control Mechanism		1
Virtualization/Sandbox Evasion		1
Credential API Hooking		11
Security Software Discovery		Remote Services1
Credential API Hooking		Data ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Abuse Elevation Control Mechanism		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
DLL Side-Loading		Security Account Manager1
Process Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDS1
System Information Discovery		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe18%ReversingLabs
SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe100%AviraHEUR/AGEN.1313195
SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe100%Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1541680
Start date and time:2024-10-25 01:35:10 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:2
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Detection:MAL
Classification:mal76.evad.winEXE@1/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • VT rate limit hit for: SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):7.820751850746217
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
File size:14'430'720 bytes
MD5:7b5ead3041ec05071ee6b28913d72547
SHA1:8af0a3f29aff1d0fd9ab792539ff1a1fe7a32ad2
SHA256:e999cb5dcdea4d51a6178dfda3248fdf812d90841545a5ff4bbfaeac95e31c11
SHA512:205e5fa420ff14a561f54489a4ad40bbdae38b57d9c379870b7fb0a36630da2e6af1a297baaabdd7b80f0a92c05e216d00256ff24bcdb27a59003e4b826ce2ac
SSDEEP:393216:t7ScNfOWdc5SaSwgXtDwS8WzRY1p+xUnmlf:5FNfOUaSwg98j1pK
TLSH:C3E622E680D921F0E4D74A50624E6BCE3190A0AA09BD7D2D3EC61C429F36EEF554DF63
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...*R.f.........."....(.....|.......;.........@.............................._...........`................................

File Icon

Icon Hash:00928e8e8686b000

Static PE Info

General

Entrypoint:0x141093beb
Entrypoint Section:.3*9
Digitally signed:false
Imagebase:0x140000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66DC522A [Sat Sep 7 13:16:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:2e50f7b4155f4071a4897d1c6c09ad6b

Entrypoint Preview

Instruction
pushfd
inc ecx
push esp
dec ecx
mov esp, 36924E92h
nop
rcl dword ptr [ebx], FFFFFFD8h
inc ecx
and esp, 30AA72B4h
dec esi
lea esp, dword ptr [EA390882h]
push dword ptr [esp+08h]
popfd
dec eax
mov dword ptr [esp+08h], 5918A4D1h
dec esp
mov esp, dword ptr [esp+00h]
call 00007F2910A8EFEBh
jmp far 5A8Fh : 3E46717Eh
adc al, 86h
int 44h
xchg eax, ecx
in al, dx
pop eax
xchg eax, ebx
push ecx
xchg eax, esp
in al, dx
lodsb
pop esp
jns 00007F2910B3B3C6h
push ds
movsb
xlatb
inc ecx
push esp
jne 00007F2910B3B3D2h
sub al, F1h
inc ecx
adc al, 76h
or al, 21h
int3
xor eax, 0C77D440h
and dword ptr [esp+ebp*2+0B87DC64h], edi
loope 00007F2910B3B386h
test ah, al
pushfd
mov dword ptr [ecx], ecx
les ebp, fword ptr [esp+edi*2-1Ah]
retf C6B2h
pop edi
into
sbb dword ptr [esi-7Fh], ecx
and dword ptr [esp+eax*4-67636410h], edi
dec ecx
daa
mov eax, dword ptr [30F10C27h]
ret
xor al, 26h
sbb eax, 6A193E25h
xchg eax, edx
mov word ptr [esi-5Eh], fs
push eax
loop 00007F2910B3B365h
jns 00007F2910B3B40Ah
jle 00007F2910B3B375h
pop edi
adc edx, edx
push FFFFFFA3h
and byte ptr [eax+4Bh], dh
mov dword ptr [29785CB8h], eax
mov ebx, 895CB8A3h
cmp byte ptr [ebx-5Dh], bh
mov eax, 2710585Ch
mov dword ptr [16555CB8h], eax
iretd
xor eax, 955CA22Ch
pop ss
pop ds
cmc
sub eax, 00655CA2h

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x10033100x1b8.3*9
IMAGE_DIRECTORY_ENTRY_RESOURCE0x15f00000x548.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x15eb3900x3408.3*9
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x15ef0000x118.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x15eb2500x140.3*9
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x82c0000x178.UKD
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000xfd4f0x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x110000x599c0x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0x170000xc700x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0x180000xa980x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.LW:0x190000x81253f0x0d41d8cd98f00b204e9800998ecf8427eunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.UKD0x82c0000xd680xe00a8e6280e4d8de910fbb7beae9f090f3fFalse0.043247767857142856data0.3165684754014781IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.3*90x82d0000xdc17980xdc180082ffa1bf70e3bb8720d1536464d088aeunknownunknownunknownunknownIMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc0x15ef0000x1180x2007503c704deb8a27dc15595a62266fcdfFalse0.3984375data2.703668346071651IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc0x15f00000x5480x600997e3689feb443a51a4bfc8997b15d95False0.404296875data3.836717191739015IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountryZLIB Complexity
RT_VERSION0x15f00a00x320dataRussianRussia0.43
RT_MANIFEST0x15f03c00x188XML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5892857142857143

Imports

DLLImport
RPCRT4.dllUuidToStringA
KERNEL32.dllGetModuleFileNameA
USER32.dllEnumDisplaySettingsW
ADVAPI32.dllRegQueryValueExA
SHELL32.dllShellExecuteExW
MSVCP140.dll?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z
WS2_32.dllWSAStartup
d3d9.dllDirect3DCreate9
VCRUNTIME140_1.dll__CxxFrameHandler4
VCRUNTIME140.dll__C_specific_handler
api-ms-win-crt-stdio-l1-1-0.dllfflush
api-ms-win-crt-heap-l1-1-0.dllmalloc
api-ms-win-crt-utility-l1-1-0.dllsrand
api-ms-win-crt-filesystem-l1-1-0.dll_unlock_file
api-ms-win-crt-time-l1-1-0.dll_time64
api-ms-win-crt-runtime-l1-1-0.dll_cexit
api-ms-win-crt-math-l1-1-0.dll__setusermatherr
api-ms-win-crt-locale-l1-1-0.dll_configthreadlocale
ntdll.dllRtlCaptureContext
KERNEL32.dllGetSystemTimeAsFileTime
KERNEL32.dllHeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Possible Origin

Language of compilation systemCountry where language is spokenMap
RussianRussia
EnglishUnited States

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

General

Target ID:0
Start time:19:36:04
Start date:24/10/2024
Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Vmprotect.6275.24214.exe"
Imagebase:0x7ff682dd0000
File size:14'430'720 bytes
MD5 hash:7B5EAD3041EC05071EE6B28913D72547
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Disassembly

No disassembly